This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[connect-wg] Programmatic way to answer, "Who is sending me this stuff?"

Previous message (by thread): [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
Next message (by thread): [connect-wg] New on RIPE Labs: Looking at France-IX with RIPE Atlas and RIS

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

James Bensley jwbensley at gmail.com
Thu Sep 10 21:51:15 CEST 2015

On 9 September 2015 at 11:13, snash <snash at arbor.net> wrote:
>
> If I receive some traffic at an IX peering router interface, I might want to know how I got it.
> If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.
>
> How do I find out who did send it to me?
> If I capture a sample packet I could see the source MAC address.  Now I have to identify who owns the device with that MAC.

On my peering router I look at the “ARP table”, it's a magical thing
that lists layer 2 MAC addresses and the corresponding layer 3 IP
address. Whilst not many IX's provide real time lists of member MACs
(as members change hardware or ports on hardware, move links between
IX edge devices etc) the IPs are usually (always?) manually assigned
by the IX so they are fully know to which member they are in use by,
at any given time. [1]

> Is there any guidance from the IX operators on how to do this?

As above, I've not seen an IX that doesn't distribute the IPs manually
so by giving them the IP they can tell me straight away (if it isn't
listen in the members portal, which at LINX for example, it is!).
Another option is looking through peeringDB through the existing MySQL
interface or new API in version 2 of the site.

> I'm sure phone calls / emails to Ops teams are not cost effective for anyone.

If I called an IXP I was present at and asked them to trace a MAC
address through the MAC tables of their devices, and they couldn't, we
have a much bigger problem than a bit of unwanted traffic. We have
clowns running an IXP!

> A common programmatic method across IXes would suit my use-case admirably.
>
> I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.

I must be missing the point because this doesn't seem like a major
issue, or am I spoilt in the UK and the IXPs here are just way better
than everywhere else? [2]

Cheers,
James,

[1] Any IX not limiting the number of MAC addresses per port (and
doing ARP inspection if possible) is asking for trouble.

[2] When I say “way better”, I mean being able to look at MAC tables
and find a port that originates a MAC address, would be the minimum
requirement to be better than "shit".

Previous message (by thread): [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
Next message (by thread): [connect-wg] New on RIPE Labs: Looking at France-IX with RIPE Atlas and RIS

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ connect-wg Archives ]